Update documentation to reflect 3.3.6

1 files changed, 60 insertions, 16 deletions

diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4
index d93e598ac50..a818ec16229 100644
--- a/sbin/ipf/ipf.4
+++ b/sbin/ipf/ipf.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ipf.4,v 1.16 1999/11/23 22:27:31 deraadt Exp $
+.\"	$OpenBSD: ipf.4,v 1.17 2000/01/07 07:45:03 kjell Exp $
 .TH IPF 4
 .SH NAME
 ipf \- packet filtering kernel interface
@@ -26,7 +26,19 @@ However, the full complement is as follows:
 	ioctl(fd, SIOCRMIFR, struct frentry *)
 	ioctl(fd, SIOCINAFR, struct frentry *)
 	ioctl(fd, SIOCINIFR, struct frentry *)
+	ioctl(fd, SIOCSETFF, u_int *)
+	ioctl(fd, SIOGGETFF, u_int *)
+	ioctl(fd, SIOCGETFS, struct friostat *)
 	ioctl(fd, SIOCIPFFL, int *)
+	ioctl(fd, SIOCIPFFB, int *)
+	ioctl(fd, SIOCSWAPA, u_int *)
+	ioctl(fd, SIOCFRENB, u_int *)
+	ioctl(fd, SIOCFRSYN, u_int *)
+	ioctl(fd, SIOCFRZST, struct friostat *)
+	ioctl(fd, SIOCZRLST, struct frentry *)
+	ioctl(fd, SIOCAUTHW, struct fr_info *)
+	ioctl(fd, SIOCAUTHR, struct fr_info *)
+	ioctl(fd, SIOCATHST, struct fr_authstat *)
 .fi
 .PP
 The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
@@ -45,21 +57,24 @@ which it is inserted is stored in the "fr_hits" field, below.
 typedef struct  frentry {
         struct  frentry *fr_next;
         u_short fr_group;       /* group to which this rule belongs */
-        u_short fr_head;        /* group # which this rule starts */
+        u_short fr_grhead;      /* group # which this rule starts */
         struct  frentry *fr_grp;
         int     fr_ref;         /* reference count - for grouping */
-        struct  ifnet   *fr_ifa;
+        void	*fr_ifa;
+#if BSD >= 199306
+        void	*fr_oifa;
+#endif
         /*
-         * These are only incremented when a packet  matches this rule and
+         * These are only incremented when a packet matches this rule and
          * it is the last match
          */
-        U_QUAD_T  fr_hits;
-        U_QUAD_T  fr_bytes;
+        U_QUAD_T	fr_hits;
+        U_QUAD_T	fr_bytes;
         /*
          * Fields after this may not change whilst in the kernel.
          */
         struct  fr_ip   fr_ip;
-        struct  fr_ip   fr_mip;
+        struct  fr_ip   fr_mip; /* mask structure */
 
         u_char  fr_tcpfm;       /* tcp flags mask */
         u_char  fr_tcpf;        /* tcp flags */
@@ -73,11 +88,15 @@ typedef struct  frentry {
         u_short fr_sport;
         u_short fr_stop;        /* top port for <> and >< */
         u_short fr_dtop;        /* top port for <> and >< */
-        u_long  fr_flags;       /* per-rule flags && options (see below) */
-        int     fr_skip;        /* # of rules to skip */
-        int     (*fr_func)();   /* call this function */
+        u_32_t  fr_flags;       /* per-rule flags && options (see below) */
+        u_short fr_skip;        /* # of rules to skip */
+        u_short fr_loglevel;    /* syslog log facility + priority */
+        int     (*fr_func) __P((int, ip_t *, fr_info_t *));
         char    fr_icode;       /* return ICMP code */
         char    fr_ifname[IFNAMSIZ];
+#if BSD > 199306
+        char	fr_oifname[IFNAMSIZ];
+#endif
         struct  frdest  fr_tif; /* "to" interface */
         struct  frdest  fr_dif; /* duplicate packet interfaces */
 } frentry_t;
@@ -102,7 +121,8 @@ Flags which are recognised in fr_pass:
      FR_LOGBODY      0x000020   /* log the body of packets too */
      FR_LOGFIRST     0x000040   /* log only the first packet to match */
      FR_RETRST       0x000080   /* return a TCP RST packet if blocked */
-     FR__RETICMP     0x000100   /* return an ICMP packet if blocked */
+     FR_RETICMP      0x000100   /* return an ICMP packet if blocked */
+     FR_FAKEICMP     0x00180    /* Return ICMP unreachable with fake source */
      FR_NOMATCH      0x000200   /* no match occurred */
      FR_ACCOUNT      0x000400   /* count packet bytes */
      FR_KEEPFRAG     0x000800   /* keep fragment information */
@@ -138,9 +158,12 @@ comparisons) :
 The third ioctl, SIOCIPFFL, flushes either the input filter list, the
 output filter list or both and it returns the number of filters removed
 from the list(s).  The values which it will take and recognise are FR_INQUE
-and FR_OUTQUE (see above).
+and FR_OUTQUE (see above). This ioctl is also implemented for
+.Pa /dev/ipstate
+and will flush all state tables entries if passed 0 or just all those
+which are not established if passed 1.
 
-\fBGeneral Logging Flags\fP
+.IP "\fBGeneral Logging Flags\fP" 0
 There are two flags which can be set to log packets independently of the
 rules used.  These allow for packets which are either passed or blocked
 to be logged.  To set (and clear)/get these flags, two ioctls are
@@ -159,7 +182,7 @@ those provided (clearing/setting all in one).
 Takes a pointer to an unsigned integer as the parameter.  A copy of the
 flags currently in used is copied to user space.
 .LP
-\fBFilter statistics\fP
+.IP "\fBFilter statistics\fP" 0
 Statistics on the various operations performed by this package on packets
 is kept inside the kernel.  These statistics apply to packets traversing
 through the kernel.  To retrieve this structure, use this ioctl:
@@ -174,7 +197,12 @@ struct  friostat        {
         struct  frentry         *f_acctin[2];
         struct  frentry         *f_acctout[2];
         struct  frentry         *f_auth;
-        int     f_active;
+        u_long  f_froute[2];
+        int     f_active;       /* 1 or 0 - active rule set */
+        int     f_defpass;      /* default pass - from fr_pass */
+        int     f_running;      /* 1 if running, else 0 */
+        int     f_logging;      /* 1 if enabled, else 0 */
+        char    f_version[32];  /* version string */
 };
 
 struct	filterstats {
@@ -196,12 +224,28 @@ struct	filterstats {
         u_long  fr_chit;        /* cached hit */
         u_long  fr_pull[2];     /* good and bad pullup attempts */
 #if SOLARIS
-        u_long  fr_bad;         /* bad IP packets to the filter */
+        u_long  fr_notdata;     /* PROTO/PCPROTO that have no data */
+        u_long  fr_nodata;      /* mblks that have no data */
+	u_long  fr_bad;         /* bad IP packets to the filter */
         u_long  fr_notip;       /* packets passed through no on ip queue */
         u_long  fr_drop;        /* packets dropped - no info for them! */
 #endif
 };
 .fi
+If we wanted to retrieve all the statistics and reset the counters back to
+0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
+In addition to the statistics above, each rule keeps a hit count, counting
+both number of packets and bytes.  To reset these counters for a rule,
+load the various rule information into a frentry structure and call
+SIOCZRLST.
+.IP "Swapping Active lists" 0
+IP Filter supports two lists of rules for filtering and accounting: an
+active list and an inactive list.  This allows for large scale rule base
+changes to be put in place atomically with otherwise minimal interruption.
+Which of the two is active can be changed using the SIOCSWAPA ioctl.  It
+is important to note that no passed argument is recognised and that the
+value returned is that of the list which is now inactive.
+.br
 .SH FILES
 /dev/ipauth
 .br